Information Security Policy

PPGR - Unit 4 - Information Security Policy

Last Update Unknown

Who's involved?

Information systems governance

  • By: e.g. Chief Information Officer (CIO)
  • Goal
    • Strategic direction
    • Achievement of objectives
    • Manage risks
    • Use resources responsibly

Information security governance

  • By: e.g. Chief Information Security Officer (CISO)
  • InfoSec governance is not a subset of IT Governance
    • This is a source of difficulty

What is an Information Security policy?

  • High level guidance, not specific guides on how to accomplish tasks
  • The needs of the real-world dictate security policy
  • Objectives are derived from the goals and environment of the organisation
  • Clear policies are a key way that governance is exercised

The purpose of a security policy:

  • To clearly and unambiguously express, for security management and security solutions:
    • Goals and objectives
    • Role, scope and boundaries

Policy defines security for a computing system by specifying:

  • Security properties of the computing system
  • Properties of the owning organisation
  • Responsibilities of individuals

Principles Underlying Policy:

  • Individual Accountability
  • Authorisation
  • Least Privilege
  • Separation of duty
  • Auditing
  • Redundancy
  • Risk Reduction

Hierarchy of policies

InfoSec Policy Contents (ISP or EISP)

  • Overview of corporate philosophy
  • Information security organisation & responsibilities
  • Responsibilities for security
    • Shared by all members of organisation
    • Which are unique to particular roles


  • Supports vision and mission of the organisation
  • Overview of security policy
  • General principles
  • In line with the mission and objectives of the organisation, e.g.
    • An educational institution would focus on accessibility for a large, dynamic group of users (students)
    • A financial institution would focus on controlling access for a more stable user population

InfoSec Policy Structure

  1. Introduction and objectives
  2. Statement of management intent
  3. A framework for setting control objectives, risk assessment and management
  4. Policies, principles, standards and compliance
  5. Responsibilities
  6. References

Successful Policy Setting

  • Requires:
    • Know-how - measures must be practical & make sense
    • Power - must be enforceable.
  • Clear definition and support of roles & responsibilities (part of governance)
  • Due regard to legal and ethical considerations

Issue Specific Security Policies (ISSP)

  • The Issue
  • The organisation's position on the issue
  • Applicability
  • Roles and responsibilities
  • Compliance
  • Contacts and supplementary information

Physical Security

  • The Issue
    • Keeping people out
    • Protecting hardware from loss or damage (or interference)
  • The organisation's position on the issue
    • Don't like it
  • Applicability
    • All general staff & students



  • Roles and responsibilities
    • Management: Ensuring staff are trained / monitored
    • Security guards: monitoring, keeping things locked
    • IT staff: keep things locked. Specifying physical security in procurement
    • General staff & students: Keep own stuff safe. Alert if something strange. Don't take or damage equipment
  • Compliance
    • Who enforces
    • Punishments
  • Contacts and supplementary information

Personnel Security

  • Recruitment & Selection:
    • Background
    • Motivation
    • Competence
  • Training
  • Joining & Leaving Protocols
    • Non-disclosure agreements
    • Keys & encryption

Other issues

  • Email
  • Internet access
  • Social media
  • Incident response
  • Prohibited uses


  • What else do you think should have an issue-specific security policy?
  • Should it focus on a specific technology or be principles based?

System specific security policy (SysSP)

  • Who can use the system?
  • What can authorised users access?
  • When can authorised users access the system?
  • Where can authorised users access the system from?
  • How can authorised users access the system?
  • Which privileges do authorised users have (e.g. read, write, execute, delete)?


  • Access Control List (ACL)
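As an added example (not from the slides), the six SysSP questions above can be written down as access-control entries and evaluated deny-by-default; the roles, paths, networks, hours and access methods are constructed sample values:

```python
# Added example, not part of the lecture notes: a tiny SysSP/ACL evaluator.
# Each entry answers who / what / when / where / how / which privileges.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AclEntry:
    roles: frozenset        # who may use the system
    resource: str           # what they may access (path prefix)
    hours: tuple            # when: (start, end) as local time objects
    networks: tuple         # where from: CIDR strings
    methods: frozenset      # how: e.g. "ssh", "vpn", "console"
    privileges: frozenset   # which: subset of read/write/execute/delete

@dataclass(frozen=True)
class Request:
    user_roles: frozenset
    resource: str
    at: datetime
    source_ip: str
    method: str
    privilege: str

# Constructed sample policy: analysts read reports in office hours over VPN/SSH
# from the corporate range; admins have full rights from the management subnet.
SYSSP_ACL = (
    AclEntry(frozenset({"analyst"}), "/data/reports", (time(8), time(18)),
             ("10.0.0.0/8",), frozenset({"vpn", "ssh"}), frozenset({"read"})),
    AclEntry(frozenset({"admin"}), "/", (time(0), time(23, 59, 59)),
             ("10.0.5.0/24",), frozenset({"ssh"}),
             frozenset({"read", "write", "execute", "delete"})),
)

def is_permitted(req: Request, acl=SYSSP_ACL) -> bool:
    """Deny by default; allow only if one entry satisfies all six questions."""
    for e in acl:
        if (req.user_roles & e.roles
                and req.resource.startswith(e.resource)
                and e.hours[0] <= req.at.time() <= e.hours[1]
                and any(ip_address(req.source_ip) in ip_network(n) for n in e.networks)
                and req.method in e.methods
                and req.privilege in e.privileges):
            return True
    return False

def check(roles, resource, when_iso, source_ip, method, privilege, acl=SYSSP_ACL):
    """String-friendly wrapper, e.g. when_iso="2024-03-04T09:30"."""
    req = Request(frozenset(roles), resource, datetime.fromisoformat(when_iso),
                  source_ip, method, privilege)
    return is_permitted(req, acl)
```

Every mismatch on any one of the six dimensions denies the request, which is the behaviour a system-specific policy should document explicitly.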

Policy Management

  • How security policies are managed should be considered
  • Policies should be regularly reviewed to ensure they are both relevant and are achieving the desired goals.
  • Outdated policies may not address current business needs.

Implementing security policy

Embedding security into an organisation includes:

  • Good governance that is in line with existing principles of corporate governance
  • Comprehensive management of cybercrime and cyber-warfare risk and threats that is aligned with existing enterprise risk management (ERM) systems
  • Compliance with existing or planned EU-level and national laws and regulations
  • Resilience for organisational infrastructures and personnel
  • Assurance for information, processes and related controls


Laws & standards

  • Under which jurisdiction(s) does the organisation operate and what specific laws apply to the organisation?
  • By law, which information assets need to be protected?
    • Scope and implementation of laws varies wildly across nations.
    • Result: a patchwork of laws that may be challenging to navigate.
  • How can these laws be incorporated into the organisation's security policy?
    • It is essential to involve the legal department in cybersecurity decisions to verify what laws apply to an organisation
  • Then there are the standards you need to comply with: ISO27000, PCI-DSS etc

Vulnerability assessments and penetration tests

  • An important part of implementing InfoSec, but...
  • Consider laws regarding unauthorized access
  • The foundation of many of these laws is the concept of authorised access
  • Critical for the security team to have written authorization from the system owners of any system that might be accessed in the process.
  • This is particularly challenging when it comes to cloud-based systems, as ownership may not be apparent.

Socio-technical aspects

  • Most security is dependent on people's behaviour
  • If policies are to work, we need:
    • the right people
    • with the right skills
    • that are motivated towards security objectives.
  • The needs of security should not:
    • infringe rights to privacy and dignity
    • make work harder or more unpleasant.

Stakeholders

  • What is a "stakeholder"?
    • Someone with an interest in the company/process


Who are the stakeholders in InfoSec security policies?

  • External
    • Customers
    • Suppliers
    • Investors
  • Internal
    • Employees
    • Management
    • IT & Security staff
    • Specialist: HR / lawyers etc

Engaging stakeholders

  • Policies should be developed in conjunction with the stakeholders
    • extremely valuable at the implementation phase
    • Few things derail the policy process more than being given a new policy that completely disrupts a business unit's operations
    • especially when the business unit had no input
  • Engage your stakeholders
    • The legal and compliance team should be consulted to ensure that legal and regulatory obligations are met
    • System owners can provide valuable input about processes that may be impacted by a new policy
    • Policies should have the appropriate executive sponsors to support their implementation
  • Policy development is an iterative process and should be flexible enough to address changing goals

Implementation

  • Implementing policies is not as easy as publishing a new policy guide and placing it on the shelf or corporate intranet
  • Existing processes must be evaluated against the new policy and updated as necessary
  • If a needed process does not exist, it must be created to support the policy
  • Organisational culture should be considered when implementing new policies and processes
    • Some organisations are very dynamic, while others are slow to change